Description
Policy bypass in ServiceWorkers in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: Content Security Policy Bypass
Action: Patch
AI Analysis

Impact

The vulnerability is a policy bypass in the ServiceWorker implementation of Google Chrome that lets a maliciously crafted HTML page defeat the browser's enforcement of Content Security Policy. An attacker who can get a user to visit such a page can have scripts run or resources load that the page's CSP should have blocked, potentially leading to theft of sensitive data or execution of attacker-controlled script in the context of the affected origin. CSP is a defense-in-depth control: a bypass does not by itself create an injection point, but it removes the mitigation that would otherwise contain one, which is consistent with the CWE-79 (cross-site scripting) classification recorded for this CVE.

Affected Systems

This issue affects Google Chrome releases earlier than version 147.0.7727.55; the security update that fixes the flaw is included in Chrome 147.0.7727.55 and later. The version number applies to Google Chrome itself; other Chromium-based browsers ship the corresponding fix on their own release schedules and are not covered by this advisory.
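As an added example that is not part of the OpenCVE entry or of Chromium's code, the following JavaScript (Node) snippet checks a fleet's reported Chrome versions against the fixed release. It compares version components numerically rather than as strings, ignores other Chromium-based browsers that carry a Chrome/ token, and flags versions taken from Chrome's reduced User-Agent string (which reports only the major version, e.g. Chrome/147.0.0.0) as needing the full version before they can be judged. Host names, inventory records and User-Agent strings are constructed.

```javascript
// Added example, not code from the OpenCVE page or from Chromium: triage a
// fleet's Chrome versions against the fixed release named in the advisory.
// Host names, inventory records and User-Agent strings below are constructed.

const FIXED_VERSION = "147.0.7727.55";

// Parse "major.minor.build.patch" into four non-negative integers. Malformed
// input throws rather than being silently treated as patched.
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d+$/.test(p))) {
    throw new Error(`malformed Chrome version: ${JSON.stringify(v)}`);
  }
  return parts.map(Number);
}

// Component-wise numeric comparison; a plain string compare would sort
// "99.0.1.1" after "147.0.7727.55".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Chrome's reduced User-Agent (Chrome 101 and later) reports only the major
// version, e.g. "Chrome/147.0.0.0". Such a value can be decided only when the
// major component differs from the fix; otherwise the full version must come
// from the Sec-CH-UA-Full-Version-List client hint or from endpoint inventory.
function classify(version) {
  const p = parseVersion(version);
  const fixed = parseVersion(FIXED_VERSION);
  const majorOnly = p[1] === 0 && p[2] === 0 && p[3] === 0;
  if (majorOnly) {
    if (p[0] < fixed[0]) return "affected";
    if (p[0] > fixed[0]) return "patched";
    return "needs-full-version";
  }
  return compareVersions(version, FIXED_VERSION) < 0 ? "affected" : "patched";
}

// Extract the Chrome version from a User-Agent string. Returns null for
// non-Chrome browsers and for other Chromium-based browsers (Edge, Opera)
// that carry a Chrome/ token but ship fixes on their own schedule.
function chromeVersionFromUA(ua) {
  if (/\b(?:Edg|OPR)\//.test(ua)) return null;
  const m = /\bChrome\/(\d+\.\d+\.\d+\.\d+)\b/.exec(ua);
  return m ? m[1] : null;
}

// Constructed inventory: endpoint-agent records carry the full version, proxy
// log records carry only the User-Agent string.
const INVENTORY = [
  { host: "ws-01", version: "146.0.7700.120" },
  { host: "ws-02", version: "147.0.7727.55" },
  { host: "ws-03", ua: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36" },
  { host: "ws-04", ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36" },
  { host: "ws-05", ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 Edg/147.0.0.0" },
  { host: "ws-06", ua: "Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0" },
];

// Map each host to "affected", "patched", "needs-full-version" or "not-chrome".
function triage(inventory) {
  const result = {};
  for (const rec of inventory) {
    const v = rec.version ?? chromeVersionFromUA(rec.ua ?? "");
    result[rec.host] = v === null ? "not-chrome" : classify(v);
  }
  return result;
}

console.log(triage(INVENTORY));
```

Hosts reported as "needs-full-version" are the common case when the only data source is a proxy log, because the reduced User-Agent hides the build and patch numbers; pull the full version from the endpoint management tool or from the Sec-CH-UA-Full-Version-List client hint before closing them out.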

Risk and Exploitability

The CVE carries a Chromium security severity of Low, no EPSS score is available, and it is not listed in CISA's KEV catalog. Exploitation requires only that a user load a crafted HTML page, so the attack vector is remote web content and user awareness offers little protection; the safest approach is to update the browser promptly. The vendor has not published a workaround for earlier versions; the fix is the updated release.

Generated by OpenCVE AI on April 8, 2026 at 23:11 UTC.

Remediation

The fix is included in Google Chrome 147.0.7727.55 and later. No vendor workaround is provided for earlier versions.

OpenCVE Recommended Actions

  • Update Google Chrome to version 147.0.7727.55 or later.
  • Enable automatic browser updates to receive future security patches.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Title (values added): Policy Bypass in Chrome ServiceWorkers Enables CSP Circumvention
First Time appeared (values added): Google; Google chrome
Weaknesses (values added): CWE-79
Vendors & Products (values added): Google; Google chrome

Wed, 08 Apr 2026 21:30:00 +0000

Description (values added): Policy bypass in ServiceWorkers in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-04-08T21:21:05.248Z

Reserved: 2026-04-08T19:34:46.189Z

Link: CVE-2026-5911

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T22:16:31.010

Modified: 2026-04-08T22:16:31.010

Link: CVE-2026-5911

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:26:07Z

Weaknesses